critical
suspicious.env_credential_access
- Location
- src/embeddings.js:18
- Finding
- Environment variable access combined with network send.
OpenClaw Memory System
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.env_credential_access
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
Sensitive details or incorrect/poisoned memories could be stored long-term and influence future agent behavior without the user re-approving each memory.
Why it was flagged
The skill is designed to automatically persist conversation-derived memories, including potentially secret facts, and reuse them in later prompts.
Skill content
Automatic Learning - Extracts facts, preferences, and patterns from conversations ... Smart Retrieval - Injects relevant memories before each request ... Facts - "User's API key is abc123"
Recommendation
Use only with non-sensitive conversations unless the skill adds clear opt-in capture, secret redaction, memory review/delete controls, and provenance/trust labeling for injected memories.
ConcernHigh Confidence
ASI09: Human-Agent Trust ExploitationWhat this means
A user may believe memories never leave the machine while memory text or queries may be sent to OpenAI for embeddings.
Why it was flagged
The privacy claim says nothing is sent externally, but the documented default embedding provider is OpenAI, and the static scan found OPENAI_API_KEY use with network sending.
Skill content
All data stored locally (nothing sent to external servers) ... Embedding Options: 1. OpenAI (default)
Recommendation
Correct the privacy claims, make local embeddings the default for private mode, declare OPENAI_API_KEY in metadata, and clearly warn users before any memory content is sent to an external provider.
ConcernHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
If an agent has wallet access, it could spend funds on this skill's Pro tier without the user noticing or approving the transaction at the time.
Why it was flagged
The documentation encourages agents to make a paid crypto subscription decision autonomously, without requiring explicit human confirmation or spending limits.
Skill content
AI agents can autonomously pay for unlimited storage ... No human in the loop
Recommendation
Require explicit human approval for payment, document spending caps, and do not instruct agents to self-upgrade unless the user has pre-authorized that exact action.
ConcernMedium Confidence
ASI03: Identity and Privilege AbuseWhat this means
Memories from different users, sessions, or agents could be mixed under the same default identity, causing privacy leakage or incorrect future recall.
Why it was flagged
The message-preprocessed hook falls back to a hardcoded wallet identity when no wallet is configured, then stores inbound message memories under that identity.
Skill content
const wallet = process.env.OPENCLAW_MEMORY_WALLET || 'assistant-shrimp-main';
Recommendation
Skip memory capture when no explicit wallet/user identity is present, and require the identity boundary to be configured rather than using a shared fallback.
ConcernMedium Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
For a skill that installs hooks, stores private memory, and handles payments, inconsistent provenance makes it harder to verify who published the code and whether the reviewed package is the intended one.
Why it was flagged
This conflicts with the supplied registry metadata showing a different owner ID, slug, and version; the registry also lists source as unknown and no homepage.
Skill content
"ownerId": "kn74bgzn68zbhdf3x58hj88ebs80hr3p", "slug": "openclaw-memory", "version": "1.0.0"
Recommendation
Publish consistent registry and package metadata, replace placeholder links with a real repository, and verify the package source before installing.